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re application of: 



Va'^'e FAVIER ET AL. 



Examiner: 



SerjalNo.: 09/740,801 



Group Art Unit: 



led: December 21 , 2000 



Corres. To FR 99/16118 
Filed December 21, 1999 



For: METHOD AND DEVICE FOR 

CONFIGURING A FIREWALL IN A 
COMPUTER SYSTEM 



McLean, Virginia 



SUPPLEMENTAL PRELIMINARY AMENDMENT 



Honorable Commissioner of Patents and Trademarks 
Washington, DC 20231 



Prior to examination of the above-identified application, please amend the 
application as follows: 
IN THE SPECIFICATION: 

Page 1 , after the title and before the first paragraph, insert the following 
heading at the left-hand margin: 
" Field of the Invention--: 

Page 1 , line 8, delete "The Prior Art" and substitute -Description of Related 
Art — at the left-hand margin; 

Page 4, line 1 , delete "Presentation of the Figures" and substitute the 
following heading at the left-hand margin: 
" Brief Description of the Drawings- : 

Page 4, at line 15, delete "Description of an Embodiment of the Invention" and 
substitute the following heading at the left-hand margin: 
" Detailed Description of the Preferred Embodiment's) -- ; 
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Page 1 1 , after the last paragraph ending "...global.", insert the following new 
paragraph: 

-While this invention has been described in conjunction with specific 
embodiments thereof, it is evident that many alternatives, modifications and 
variations will be apparent to those skilled in the art. Accordingly, the preferred 
embodiments of the invention as set forth herein, are intended to be illustrative, not 
limiting. Various changes may be made without departing from the true spirit and full 
scope of the invention as set forth herein and defined in the claims — 

IN THE CLAIMS: 

Please cancel claims 1 - 10 in their entirety and without prejudice and 
substitute the following new claims: 
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1 "11 . A method for configuring a firewall (1 ) in a connputer system (2) 

2 comprising objects (3), and resources (4), for establishing an access control policy 

3 for the objects (3), the method comprising grouping the objects (3) of the system into 

4 internal and external protection domains (5, 6), ensuring establishing a firewall (a) for 

5 protection of an internal domain (5) relative to an external domain (6), and applying 

6 to the firewall a rule for controlling access between a source resource (4) and a 

7 destination resource only if said source and destination resources belong to the 

8 same internal or external protection domain (5 or 6). 



1 12. A method according to claim 1 1 , further comprising determining the 

2 protection domain of the resources (4) by means of firewall network interfaces (10) 

3 through which communications pass in order to reach said resources. 

1 1 3. A method according to claim 1 2, further comprising defining zones (8) 



2 comprising networks or subnetworks, associating the network interfaces (10) of 

3 firewalls to which said zones are connected with an internal or external domain, 

4 determining the incoming and outgoing network interfaces (10) of current traffic, 

5 analyzing whether said network interfaces are attached to an internal or external 

6 domain, and applying the rule for controlling access only if both network interfaces 

7 are attached to the same internal domain (5), and the resources belong to the same 

8 protection domain. 



1 1 4. A method according to claim 1 1 , characterized in that it composes 

2 groups of objects (3) for which the access control policy is identical and the rule for 

3 controlling access is applied between each of the resources of a source group and a 

4 destination group. 

1 15. A method according to claim 12, characterized in that it composes 

2 groups of objects (3) for which the access control policy is identical and the rule for 

3 controlling access is applied between each of the resources of a source group and a 

4 destination group. 

TYSO01:91 3 1660V80IT21 47-906761 ]02\28\01 a 



T21 47-906761 -US3845/PB 

1 1 6. A method according to claim 1 3, characterized in that it composes 

2 groups of objects (3) for which the access control policy is identical and the rule for 

3 controlling access is applied between each of the resources of a source group and a 

4 destination group. 

1 17. A method according to claim 1 1 , further comprising characterizing the 

2 rule for controlling access with a local or global scope, applying the rule to the 

3 resources in question only if said resources belong to the same protection domain 

4 (5) or (6) when the scope of the rule is local, and applying the rule to all of the 

5 resources in question when the scope of the rule is global. 

1 1 8. A method according to claim 1 2, further comprising characterizing the 

2 rule for controlling access with a local or global scope, applying the rule to the 

3 resources in question only if said resources belong to the same protection domain 

4 (5) or (6) when the scope of the rule is local, and applying the rule to all of the 

5 resources in question when the scope of the rule is global. 

1 1 9. A method according to claim 1 3, further comprising characterizing the 

2 rule for controlling access with a local or global scope, applying the rule to the 

3 resources in question only if said resources belong to the same protection domain 

4 (5) or (6) when the scope of the rule is local, and applying the rule to all of the 

5 resources in question when the scope of the rule is global. 

1 20. A method according to claim 14, further comprising characterizing the 

2 rule for controlling access with a local or global scope, applying the rule to the 

3 resources in question only if said resources belong to the same protection domain 

4 (5) or (6) when the scope of the rule is local, and applying the rule to all of the 

5 resources in question when the scope of the rule is global. 

1 21 . A method according to claim 1 5, further comprising characterizing the 

2 rule for controlling access with a local or global scope, applying the rule to the 

3 resources in question only if said resources belong to the same protection domain 
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4 (5) or (6) when the scope of the rule is local, and applying the rule to all of the 

5 resources in question when the scope of the rule is global. 

1 22. A method according to claim 1 6, further comprising characterizing the 

2 rule for controlling access with a local or global scope, applying the rule to the 

3 resources in question only if said resources belong to the same protection domain 

4 (5) or (6) when the scope of the rule is local, and applying the rule to all of the 

5 resources in question when the scope of the rule is global. 

1 23. A device for configuring a firewall (1 ) in a computer system (2) 

2 comprising resources (4) including objects (3) having an access control policy and 

3 an established central configuration machine (14) for grouping the objects (3) of the 

4 system into internal (5) and external (6) protection domains, a firewall (1) ensuring 

5 the protection of an internal domain (5) relative to an external domain (6), and means 

6 for applying to the firewall in question a rule for controlling access between a source 

7 resource (4) and a destination resource only if said source and destination resources 

8 belong to the same protection domain (5) or (6). 

1 24. A device according to claim 23, characterized in that it further 

2 comprises a graphical interface (15) from which an administrator (7) can enter the 

3 domains (5) and (6) and the access control rules. 

1 25. A device according to claim 23, characterized in that the graphical 

2 interface allows the administrator (7) to define a local or global scope for the access 

3 control rule, and in that the machine (14) applies the rule to the resources in question 

4 only if said resources belong to the same protection domain (5) or (6) when the 

5 scope of the rule is local, and applies the rule to all of the resources in question 

6 when the scope of the rule is global. 

1 26. A device according to claim 24, characterized in that the graphical 

2 interface allows the administrator (7) to define a local or global scope for the access 

3 control rule, and in that the machine (14) applies the rule to the resources in question 

4 only if said resources belong to the same protection domain (5) or (6) when the 



TYSO0 1 :91 31 660v80IT2 1 47-90676 1 102\28\01 



5 



T21 47-906761 -US3845/PB 



5 scope of the rule is local, and applies the rule to all of the resources in question 

6 when the scope of the rule is global.-- 
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IN THE ABSTRACT: 

Please add the following Abstract. 
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REMARKS 



This Supplemental Preliminary Amendment is made to eliminate informalities 
in the specification, claims and abstract resulting from a literal translation of the 
French text, to eliminate the use of multiple dependent claims, and to insert headings 
to conform the application to U.S. practice. 

The present application is believed to be in condition for examination, which 
action is earnestly solicited. 



Respectfully submitted. 



Miles & Stockbridge P.C. 





Edward J. Kwidracki 
Registration No. 20,604 



Miles & Stockbridge, P.C. 
1751 Pinnacle Drive, Suite 500 
McLean, Virginia 22102-3833 
Tel.: (703) 903-9000 
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